bakery

package
v0.0.0-...-e872c33 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 12, 2014 License: BSD-3-Clause Imports: 13 Imported by: 0

Documentation

Overview

The bakery package layers on top of the macaroon package, providing a transport and storage-agnostic way of using macaroons to assert client capabilities.

Index

Constants

View Source 
const KeyLen = 32

KeyLen is the byte length of the Ed25519 public and private keys used for caveat id encryption.

View Source 
const NonceLen = 24

NonceLen is the byte length of the nonce values used for caveat id encryption.

Variables

View Source 
var ErrNotFound = errors.New("item not found")

Functions

func DischargeAll 

func DischargeAll(
	m *macaroon.Macaroon,
	getDischarge func(firstPartyLocation string, cav macaroon.Caveat) (*macaroon.Macaroon, error),
) ([]*macaroon.Macaroon, error)

DischargeAll gathers discharge macaroons for all the third party caveats in m (and any subsequent caveats required by those) using getDischarge to acquire each discharge macaroon.

Types

type Caveat 

type Caveat struct {
	Location  string
	Condition string
}

Caveat represents a condition that must be true for a check to complete successfully. If Location is non-empty, the caveat must be discharged by a third party at the given location. This differs from macaroon.Caveat in that the condition is not encrypted.

type CaveatNotRecognizedError 

type CaveatNotRecognizedError struct {
	Caveat string
}

func (*CaveatNotRecognizedError) Error 

func (e *CaveatNotRecognizedError) Error() string

type FirstPartyChecker 

type FirstPartyChecker interface {
	CheckFirstPartyCaveat(caveat string) error
}

FirstPartyChecker holds a function that checks first party caveats for validity.

If the caveat kind was not recognised, the checker should return ErrCaveatNotRecognised.

type FirstPartyCheckerFunc 

type FirstPartyCheckerFunc func(caveat string) error

func (FirstPartyCheckerFunc) CheckFirstPartyCaveat 

func (c FirstPartyCheckerFunc) CheckFirstPartyCaveat(caveat string) error

type Key 

type Key [KeyLen]byte

Key is a 256-bit Ed25519 private key.

type KeyPair 

type KeyPair struct {
	Public  PublicKey
	Private Key
}

KeyPair holds a public/private pair of keys. TODO(rog) marshal/unmarshal functions for KeyPair

func GenerateKey 

func GenerateKey() (*KeyPair, error)

GenerateKey generates a new key pair.

func (*KeyPair) String 

func (key *KeyPair) String() string

String implements the fmt.Stringer interface.

type NewServiceParams 

type NewServiceParams struct {
	// Location will be set as the location of any macaroons
	// minted by the service.
	Location string

	// Store will be used to store macaroon
	// information locally. If it is nil,
	// an in-memory storage will be used.
	Store Storage

	// Key is the public key pair used by the service for
	// third-party caveat encryption.
	Key *KeyPair

	// Locator provides public keys for third-party services by location when
	// adding a third-party caveat.
	// It may be nil, in which case, no third-party caveats can be created.
	Locator PublicKeyLocator
}

NewServiceParams holds the parameters for a NewService call.

type PublicKey 

type PublicKey [KeyLen]byte

PublicKey is a 256-bit Ed25519 public key.

type PublicKeyLocator 

type PublicKeyLocator interface {
	// PublicKeyForLocation returns the public key matching the caveat or
	// macaroon location. It returns ErrNotFound if no match is found.
	PublicKeyForLocation(loc string) (*PublicKey, error)
}

PublicKeyLocator is used to find the public key for a given caveat or macaroon location.

type PublicKeyLocatorMap 

type PublicKeyLocatorMap map[string]*PublicKey

PublicKeyLocatorMap implements PublicKeyLocator for a map. Each entry in the map holds a public key value for a location named by the map key.

func (PublicKeyLocatorMap) PublicKeyForLocation 

func (m PublicKeyLocatorMap) PublicKeyForLocation(loc string) (*PublicKey, error)

PublicKeyForLocation implements the PublicKeyLocator interface.

type PublicKeyRing 

type PublicKeyRing struct {
	// contains filtered or unexported fields
}

PublicKeyRing stores public keys for third-party services, accessible by location string.

func NewPublicKeyRing 

func NewPublicKeyRing() *PublicKeyRing

NewPublicKeyRing returns a new PublicKeyRing instance.

func (*PublicKeyRing) AddPublicKeyForLocation 

func (kr *PublicKeyRing) AddPublicKeyForLocation(loc string, prefix bool, key *PublicKey)

AddPublicKeyForLocation adds a public key to the keyring for the given location or location prefix. It is safe to call methods concurrently on this type.

func (*PublicKeyRing) PublicKeyForLocation 

func (kr *PublicKeyRing) PublicKeyForLocation(loc string) (*PublicKey, error)

PublicKeyForLocation implements the PublicKeyLocator interface.

type Request 

type Request struct {
	// contains filtered or unexported fields
}

Request represents a request made to a service by a client. The request may be long-lived. It holds a set of macaroons that the client wishes to be taken into account.

Methods on a Request may be called concurrently with each other.

func (*Request) AddClientMacaroon 

func (req *Request) AddClientMacaroon(m *macaroon.Macaroon)

AddClientMacaroon associates the given macaroon with the request. The macaroon will be taken into account when req.Check is called.

TODO(rog) provide a way of deleting client macaroons?

func (*Request) Check 

func (req *Request) Check() error

Check checks that the macaroons presented by the client verify correctly. If the verification fails in a way which might be remediable (for example by the addition of additional dicharge macaroons), it returns a VerificationError that describes the error.

type Service 

type Service struct {
	// contains filtered or unexported fields
}

Service represents a service which can use macaroons to check authorization.

func NewService 

func NewService(p NewServiceParams) (*Service, error)

NewService returns a new service that can mint new macaroons and store their associated root keys.

func (*Service) AddCaveat 

func (svc *Service) AddCaveat(m *macaroon.Macaroon, cav Caveat) error

AddCaveat adds a caveat to the given macaroon.

If it's a third-party caveat, it uses the service's caveat-id encoder to create the id of the new caveat.

func (*Service) Discharge 

func (svc *Service) Discharge(checker ThirdPartyChecker, id string) (*macaroon.Macaroon, error)

Discharge creates a macaroon that discharges the third party caveat with the given id. The id should have been created earlier by a Service. The condition implicit in the id is checked for validity using checker, and then if valid, a new macaroon is minted which discharges the caveat, and can eventually be associated with a client request using AddClientMacaroon.

func (*Service) Location 

func (svc *Service) Location() string

Location returns the service's configured macaroon location.

func (*Service) NewMacaroon 

func (svc *Service) NewMacaroon(id string, rootKey []byte, caveats []Caveat) (*macaroon.Macaroon, error)

NewMacaroon mints a new macaroon with the given id and caveats. If the id is empty, a random id will be used. If rootKey is nil, a random root key will be used. The macaroon will be stored in the service's storage.

func (*Service) NewRequest 

func (svc *Service) NewRequest(checker FirstPartyChecker) *Request

NewRequest returns a new client request object that uses checker to verify caveats.

func (*Service) Store 

func (svc *Service) Store() Storage

Store returns the store used by the service.

type Storage 

type Storage interface {
	// Put stores the item at the given location, overwriting
	// any item that might already be there.
	// TODO(rog) would it be better to lose the overwrite
	// semantics?
	Put(location string, item string) error

	// Get retrieves an item from the given location.
	// If the item is not there, it returns ErrNotFound.
	Get(location string) (item string, err error)

	// Del deletes the item from the given location.
	Del(location string) error
}

Storage defines storage for macaroons. Calling its methods concurrently is allowed.

func NewMemStorage 

func NewMemStorage() Storage

NewMemStorage returns an implementation of Storage that stores all items in memory.

type ThirdPartyChecker 

type ThirdPartyChecker interface {
	CheckThirdPartyCaveat(caveatId, caveat string) ([]Caveat, error)
}

ThirdPartyChecker holds a function that checks third party caveats for validity. If the caveat is valid, it returns a nil error and optionally a slice of extra caveats that will be added to the discharge macaroon. The caveatId parameter holds the still-encoded id of the caveat.

If the caveat kind was not recognised, the checker should return ErrCaveatNotRecognised.

type ThirdPartyCheckerFunc 

type ThirdPartyCheckerFunc func(caveatId, caveat string) ([]Caveat, error)

func (ThirdPartyCheckerFunc) CheckThirdPartyCaveat 

func (c ThirdPartyCheckerFunc) CheckThirdPartyCaveat(caveatId, caveat string) ([]Caveat, error)

type VerificationError 

type VerificationError struct {
	Reason error
}

func (*VerificationError) Error 

func (e *VerificationError) Error() string

Source Files

View all Source files

Directories

Path Synopsis
The checkers package provides some standard caveat checkers and checker-combining functions.
 The checkers package provides some standard caveat checkers and checker-combining functions.
This example demonstrates three components: - A target service, representing a web server that wishes to use macaroons for authorization.
 This example demonstrates three components: - A target service, representing a web server that wishes to use macaroons for authorization.
idservice
meeting

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.